CVE-2017-14316
xen - security update
8.8
HIGH
CVSS 3.1
EPSS 0.04%
Description
A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array.
How to fix CVE-2017-14316
To remediate CVE-2017-14316, upgrade the affected package to a fixed version below.
- —upgrade to 4.9.0-r4 or later
- —upgrade to 4.8.2+xsa245-0+deb9u1 or later
- —upgrade to 4.4.4lts2-0+deb8u1 or later
- —upgrade to 4.8.2+xsa245-0+deb9u1 or later
Is CVE-2017-14316 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 4.9.0-r4
- from 0, < 4.8.2+xsa245-0+deb9u1
- from 0, < 4.4.4lts2-0+deb8u1
- from 0, < 4.8.2+xsa245-0+deb9u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |